RE: Sql Developer
- From: "Johnson, William L (TEIS)" <WLJohnson@xxxxxxxxxxxxxxxxxxx>
- To: <rgravens@xxxxxxxxx>, <DennisCutshall@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 12 Jun 2007 13:04:01 -0400
I would recommend that you drop a user like scott from your database
unless you have a business reason to keep it. You may feel that this is
a development environment and you want to give folks the freedom to look
around at things they may not see in production. But, consider
this...does your development environment parallel your production
environment in the form of accounts that are present, location of data
files, tablespace names,...giving someone this freedom to look around
gives them an insight into your production system. This insight can end
up giving a hacker a leg-up on breaking things. (Giving folks the
ability to view the password column in the view dba_users will permit
them to use password cracking software to obtain passwords for accounts
like SYS and SYSTEM. Then the garage door is open to the house...
Take a look at this article that is free on Oracle's Technet site for
securing your database. It's informative and a good start to help
secure your database.
http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.ht
ml
Bill
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Rumpi Gravenstein
Sent: Tuesday, June 12, 2007 12:31 PM
To: DennisCutshall@xxxxxxxxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: Sql Developer
What a user can browse is more a reflection on the privileges you've
given the user than insight into a tool's capabilities. In the case
you've described, any user that can logon as Scott will be able to
browse the same objects. What the tool is doing for you is shining some
light on the privileges the Scott account has been granted. I would
think that in a development setting this would be a good thing as many
of the system objects should be helpful in the building of your
applications. In production the privileges should be limited to what is
needed.
On 6/12/07, Dennis Cutshall <DennisCutshall@xxxxxxxxxxxxxxxxxx> wrote:
Hi,
We are looking at using Oracle's SQL Developer as a development tool.
Does anyone have any experience with this product? If so, please pass
on your findings. We are particularly concerned about security. We
noticed that any user e.g. Scott, can look at many of the objects in SYS
and SYSTEM. Is this a concern, or are those normally public?
Dennis
Dennis Cutshall
Data Base Administrator
University of North Dakota ITSS
Phone: <chrome://skype_ff_toolbar_win/content/cb_transparent_l.gif>
<chrome://skype_ff_toolbar_win/content/famfamfam/us.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/arrow.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif>
<chrome://skype_ff_toolbar_win/content/space.gif> (701) 777-4109
<chrome://skype_ff_toolbar_win/content/cb_transparent_r.gif>
Fax: (701)777-3978
E-Mail: DennisCutshall@xxxxxxxxxxxxxxxxxx
--
Rumpi Gravenstein
Other related posts:
